Configuring Flexible NetFlow

A flow is defined by a unique set of key field attributes, which can include packet header fields, packet routing attributes, and input and output interface information. A NetFlow feature defines a flow as a sequence of packets that have the same values for the feature's key fields. Flexible NetFlow (FNF) lets you collect, and optionally export, a flow record that specifies various flow attributes. NetFlow collection supports IP, IPv6 and Layer 2 traffic.

Note This chapter provides Catalyst 4500 switch-specific information. For more information, refer to the URL:

VSS Environment

The following items apply to a Catalyst 4500 series switch that belongs to a Virtual Switching System (VSS):

1. The Catalyst 4500 series switch supports ingress flow statistics collection for switched and routed packets; it does not support Flexible Netflow on egress traffic.

2. Each switch in a VSS has an independent NFE (NetFlow Engine). This means that when there is ingress traffic on both the VSS Active and VSS Standby switches, each creates flows for its own ingress traffic.

3. Configuration is performed on the VSS Active switch, which is synchronized to the VSS Standby switch.

4. NetFlow show commands, including Top Talkers, aggregate cache, and clear commands, must be executed independently on the VSS Active and VSS Standby switches. The VSS Standby console is available via remote console access from the VSS Active switch.

5. Supervisor Engine 7-E, Supervisor Engine 7L-E, and Catalyst 4500X support a 100,000 entry hardware flow table. The VSS Active and VSS Standby switches have independent hardware flow tables of 100,000 entries each. The hardware flow table is shared by all the flow monitors on a switch. To prevent one monitor from using all the flow table entries, the number of entries that it uses on a switch can be limited with the cache entries number command. This limit is per flow monitor, irrespective of the number of targets it is attached to.

The following example illustrates how to configure the flow monitor m1 cache to hold 1000 entries. With this configuration, interface gig 1/3/1 (on the VSS Active) can create a maximum of 1000 flows and interface gig 2/3/2 (on the VSS Standby) can create a maximum of 1000 flows:

flow exporter e1
! exporter specifies where the flow records are sent to
destination 20.1.20.4
!
flow record r1
! record specifies the packet fields to collect
match ipv4 source address
match ipv4 destination address
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
flow monitor m1
! monitor refers to a record configuration and optionally an exporter
! configuration. It specifies the cache size, i.e. how many unique flow
! records to collect
record r1
exporter e1
cache timeout active 60
cache timeout inactive 30
cache entries 1000
!
interface GigabitEthernet 1/3/1
! layer2-switched allows collection of flow records even when the packet is
! bridged
ip flow monitor m1 layer2-switched input
!
interface GigabitEthernet 2/3/2
ip flow monitor m1 input
!

6. Flow collection is supported on multiple targets (Port, VLAN, per-port per-VLAN (FNF can be enabled on a specific VLAN on a given port)) and on a port-channel (FNF is configured on the port-channel interface, rather than individual member ports). These targets can be on the VSS Active or on the VSS Standby. For example, if the target is a VLAN, it can consist of ports belonging to both switches. If there is ingress traffic in that VLAN on both switches, flows will be created in their independent flow caches. However, no Netflow configuration can be applied on the Virtual Switch Link (VSL) ports.

Note The switch does not support tunnel or SVI statistics.

7. 64 unique flow record configurations are supported.

8. Flow QoS/UBRL and FNF cannot be configured on the same target. (For information on Flow-based QoS, see the section Flow-based QoS.)

9. 14,000 unique IPv6 addresses can be monitored.

10. On a given target, one monitor per traffic type is allowed. However, you can configure multiple monitors on the same target for different traffic types.

For example, the following configuration is allowed:

! vlan config 10
ip flow monitor <name> input
ipv6 flow monitor <name> input
!

The following configuration is not allowed, because it attaches two monitors of the same traffic type (IPv4) to one target:

!
interface GigabitEthernet 3/1
ip flow monitor m1 input
ip flow monitor m2 input
!

11. On a given target, monitoring Layer 2 and Layer 3 traffic simultaneously is not supported. The following configuration is not allowed:

interface channel-group 1
datalink flow monitor m1 input
ip flow monitor m2 input
!

12. Selection of Layer 2 and Layer 3 packet fields in a single flow record definition is not allowed. However, ingress 802.1Q VLAN Id of packet and Layer 3 packet field selection is allowed.

13. To attach a monitor to port or port-VLAN targets, a flow record that matches on the ingress 802.1Q VLAN ID as a key field must also match on the input interface as a key field.

Note The input option of the match datalink dot1q vlan command is unavailable prior to Cisco IOS XE Release 3.3.0; the input option is only available starting with Cisco IOS XE Release 3.3.0.

14. A flow monitor matching on the ingress 802.1Q VLAN ID as a key field cannot be attached to a VNET trunk port target.

17. Supervisor Engine 7-E, Supervisor Engine 7L-E, and Catalyst 4500X do not support flow-based samplers.

18. Packet length or TTL options are not supported with the ToS option.

19. The VSS Active and VSS Standby switches independently export flows, to the same or to different NetFlow collectors depending on the flow exporter configuration. An IP route to the NetFlow collector must exist, and the collector must be reachable from the VSS, for flow export to work.

20. At the collector, the flow sequence numbers are local to a switch and are monotonically increasing for each member of the VSS. Additionally, the SourceId field of the v9 export packet uniquely identifies the VSS switch number that the packet was exported from.

21. The flow exporter configuration does not support the output-features option.

22. Maximum number of VRFs that can be used for the flow exporter destination address configuration in VSS is 5. This limit includes the Global Routing Table and is common across all flow exporters in the VSS.

For example, when a sixth VRF is used for an exporter destination address, the limit is exceeded and the following warning is displayed:

flow exporter e10
destination 20.1.20.4 vrf blue
%%Warning - Netflow exporter on Cat4k VSS switch cannot exceed a total max of 5 vrfs used for destination address configuration. Flow exporter e10 cannot export in vrf blue.

23. Flow aging in the flow cache is controlled through the active and inactive timer configuration. The minimum for the active and inactive aging timers is 5 seconds, and the timers must be configured in units of 5 seconds.

Note Flows in the hardware table are deleted after 5 seconds of inactivity irrespective of the configured active or inactive timer values. This frees hardware entries so that new hardware flows can be created quickly.

24. First and Last-seen flow timestamp accuracy is within 3 seconds.

25. 2048 Flow monitors and records are supported.
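Items 19 and 20 have a consequence at the collector: each VSS member exports with its own sequence counter and its own SourceId, so export-loss detection must key on the (exporter address, SourceId) pair rather than on the exporter address alone, or the two interleaved counters look like constant packet loss. The following Python example is added here and is not part of the Cisco document. It decodes the 20-byte NetFlow v9 packet header (RFC 3954 layout: version, count, sysUptime, UNIX seconds, sequence number, SourceId) and tracks sequence gaps per source. The exporter address 192.0.2.10, the SourceId values 1 and 2 and the packet stream are constructed sample input; the sample packets carry a header only, with no FlowSets.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# NetFlow v9 packet header (RFC 3954): version, count, sysUptime, unix secs, sequence number, SourceId
V9_HEADER = struct.Struct("!HHIIII")


@dataclass
class V9Header:
    version: int
    count: int
    sys_uptime_ms: int
    unix_secs: int
    sequence: int
    source_id: int


def parse_v9_header(packet: bytes) -> V9Header:
    """Decode the 20-byte header; the FlowSets that follow it are not decoded here."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("packet shorter than a NetFlow v9 header")
    hdr = V9Header(*V9_HEADER.unpack_from(packet, 0))
    if hdr.version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {hdr.version})")
    return hdr


def build_packet(sequence: int, source_id: int, count: int = 0) -> bytes:
    """Constructed test input: a v9 header with no FlowSets (count 0, zero timestamps)."""
    return V9_HEADER.pack(9, count, 0, 0, sequence, source_id)


@dataclass
class SequenceTracker:
    """Detect lost export packets from gaps in the sequence number.

    With per_source_id=True the counter is tracked per (exporter address, SourceId). That is what a
    VSS needs: each member keeps its own monotonically increasing sequence and stamps its switch
    number into SourceId, so keying on the address alone mixes two independent counters.
    """
    per_source_id: bool = True
    last_seq: Dict[Tuple[str, Optional[int]], int] = field(default_factory=dict)
    gaps: List[Tuple[str, Optional[int], int, int, int]] = field(default_factory=list)

    def observe(self, exporter_ip: str, hdr: V9Header) -> int:
        """Record one header; return the number of export packets missed since the previous one."""
        key = (exporter_ip, hdr.source_id if self.per_source_id else None)
        prev = self.last_seq.get(key)
        self.last_seq[key] = hdr.sequence
        if prev is None:
            return 0
        # 32-bit counter: a wrap from 0xFFFFFFFF to 0 yields 0 missed; a reordered (older)
        # packet shows up as a very large gap and should be investigated rather than trusted.
        missed = (hdr.sequence - prev - 1) & 0xFFFFFFFF
        if missed:
            self.gaps.append((exporter_ip, key[1], prev, hdr.sequence, missed))
        return missed


# Constructed stream: both VSS members (SourceId 1 and 2) export from one address, interleaved.
EXPORTER = "192.0.2.10"
SAMPLE_STREAM = [
    (EXPORTER, build_packet(100, 1)),
    (EXPORTER, build_packet(7, 2)),
    (EXPORTER, build_packet(101, 1)),
    (EXPORTER, build_packet(9, 2)),   # SourceId 2 skipped sequence 8: one export packet lost
    (EXPORTER, build_packet(102, 1)),
]


def detect_gaps(stream=SAMPLE_STREAM, per_source_id: bool = True):
    """Run the stream through a tracker and return the list of (ip, source_id, prev, seq, missed)."""
    tracker = SequenceTracker(per_source_id=per_source_id)
    for exporter_ip, packet in stream:
        tracker.observe(exporter_ip, parse_v9_header(packet))
    return tracker.gaps


if __name__ == "__main__":
    print("keyed by (address, SourceId):", detect_gaps())
    print("keyed by address only:", detect_gaps(per_source_id=False))
```

Keyed by address only, the same five packets produce four spurious gaps; keyed by (address, SourceId) the tracker reports exactly the one export packet that the constructed stream drops. A collector that raises loss alerts on the naive key will either page constantly or, worse, be tuned to ignore the alert and then miss real loss.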

When TTL is configured as a flow field, the reported value is a bucket rather than the exact packet TTL. Table 64-1 lists the packet TTL and the reported values.

Table 64-1 TTL Map: TTL Configured

Packet TTL Value    Reported Value
0                   0
1                   1
2-10                10
11-25               25
26-50               50
51-100              100
101-150             150
151-255             255

When packet length is configured as a flow field, the reported value is likewise a bucket. Table 64-2 lists the packet length and the reported values.

Table 64-2 Packet Length Map: Packet Length Configured

Packet Length    Reported Value
0-64             64
65-128           128
129-256          256
257-512          512
513-756          756
757-1500         1500
1501-4000        4000
4001+            8192

The following table lists the options available through FNF and the supported fields.

Forwarding status for the packet (forwarded, terminated in the router, dropped by ACL, RPF, CAR)
    Supported as a non-key field

Layer 4 Header Fields

Field                                       Description                                                                       Comments

TCP Header Fields
destination-port                            TCP destination port
flags [ack] [fin] [psh] [rst] [syn] [urg]   TCP flags                                                                         Supported as non-key fields
source-port                                 TCP source port

UDP Header Fields
destination-port                            UDP destination port
source-port                                 UDP source port

ICMP Header Fields
code                                        ICMP code
type                                        ICMP type

IGMP Header Fields
type                                        IGMP type

Interface Fields
input                                       Input interface index
output                                      Output interface index                                                            Output interface is supported only as a non-key field

Flexible NetFlow feature related fields
direction                                   input

Counter Fields
bytes                                       32 bit counter
bytes long                                  64 bit counter
packets                                     32 bit counter
packets long                                64 bit counter of the packets in the flow

Timestamp
first seen                                  Timestamp of the first packet accounted in the flow (milliseconds since boot-up)  3 sec accuracy
last seen                                   Timestamp of the last packet accounted in the flow (milliseconds since boot-up)   3 sec accuracy

Configuring Flow Monitor Cache Values

Setting the active cache timeout to a small value causes flows to be exported more frequently to the remote collector. Software also deletes flows from the local cache after exporting them, so the cache statistics reported by the switch may not reflect the actual number of flows being monitored.
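To make the per-monitor entry limit (item 5), the timer rule in item 23 and the caveat above concrete, the following Python model of a flow monitor cache is added here; it is not Cisco code and does not reproduce the switch's implementation. It enforces the timer rule (minimum 5 seconds, in units of 5 seconds), rejects new flows once the configured cache entries are in use, ages entries on the active and inactive timers, and deletes each entry after exporting it. It then sends one long-lived flow through the cache twice, with an active timeout of 60 and of 300 seconds, to show the same traffic becoming several exported records while the cache never holds more than one entry. Flow addresses, timings and packet sizes are constructed; the model covers the software cache only and not the 5-second hardware aging described in item 23.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str]  # (source address, destination address), the key fields of record r1 above


def is_valid_timeout(seconds: int) -> bool:
    """Item 23: active and inactive aging timers are at least 5 seconds and in units of 5 seconds."""
    return seconds >= 5 and seconds % 5 == 0


@dataclass
class FlowEntry:
    first_seen: int   # simulated seconds of uptime
    last_seen: int
    packets: int = 0
    bytes: int = 0


@dataclass
class ExportedRecord:
    key: FlowKey
    first_seen: int
    last_seen: int
    packets: int
    bytes: int
    reason: str       # "active" or "inactive": which timer expired


class FlowMonitorCache:
    """Software model of one flow monitor cache: per-monitor entry limit plus active/inactive aging."""

    def __init__(self, entries: int, timeout_active: int, timeout_inactive: int):
        for name, value in (("active", timeout_active), ("inactive", timeout_inactive)):
            if not is_valid_timeout(value):
                raise ValueError(f"cache timeout {name} {value}: minimum 5 seconds, in units of 5 seconds")
        self.entries = entries
        self.timeout_active = timeout_active
        self.timeout_inactive = timeout_inactive
        self.cache: Dict[FlowKey, FlowEntry] = {}
        self.exported: List[ExportedRecord] = []
        self.rejected_new_flows = 0   # flows not created because the cache was full

    def age(self, now: int) -> List[ExportedRecord]:
        """Export and delete every entry whose active or inactive timer has expired at time `now`."""
        aged: List[ExportedRecord] = []
        for key, e in list(self.cache.items()):
            if now - e.first_seen >= self.timeout_active:
                reason = "active"
            elif now - e.last_seen >= self.timeout_inactive:
                reason = "inactive"
            else:
                continue
            aged.append(ExportedRecord(key, e.first_seen, e.last_seen, e.packets, e.bytes, reason))
            del self.cache[key]   # as the text says: the flow is deleted from the cache after export
        self.exported.extend(aged)
        return aged

    def observe(self, now: int, key: FlowKey, length: int) -> None:
        """Account one packet of `length` bytes seen at time `now` against its flow."""
        self.age(now)
        entry = self.cache.get(key)
        if entry is None:
            if len(self.cache) >= self.entries:
                self.rejected_new_flows += 1
                return
            entry = self.cache[key] = FlowEntry(first_seen=now, last_seen=now)
        entry.last_seen = now
        entry.packets += 1
        entry.bytes += length


def long_flow_records(timeout_active: int, duration: int = 180, interval: int = 10) -> List[ExportedRecord]:
    """One flow sending a 1000-byte packet every `interval` s for `duration` s, flushed once the inactive timer expires."""
    cache = FlowMonitorCache(entries=1000, timeout_active=timeout_active, timeout_inactive=30)
    key = ("10.1.1.10", "10.2.2.20")   # constructed sample addresses
    for t in range(0, duration + 1, interval):
        cache.observe(t, key, 1000)
    cache.age(duration + cache.timeout_inactive)
    return cache.exported


def entry_limit_rejections(entries: int, distinct_flows: int) -> int:
    """How many new flows a cache limited to `entries` refuses when `distinct_flows` start at once."""
    cache = FlowMonitorCache(entries=entries, timeout_active=60, timeout_inactive=30)
    for i in range(distinct_flows):
        cache.observe(0, (f"10.1.1.{i}", "10.2.2.20"), 64)
    return cache.rejected_new_flows


if __name__ == "__main__":
    for active in (60, 300):
        recs = long_flow_records(active)
        print(f"active timeout {active}s: {len(recs)} records, {sum(r.packets for r in recs)} packets")
    print("new flows rejected with cache entries 2 and 3 simultaneous flows:", entry_limit_rejections(2, 3))
```

With cache timeout active 60 the 19-packet flow is exported as four records (three on the active timer, the tail on the inactive timer) and the cache shows one entry throughout; with active 300 the same traffic is one record. Anyone correlating records at the collector has to re-join the pieces on key fields, and anyone reading show flow monitor cache statistics has to remember that exported flows are no longer counted.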

Non-VSS Environment

The following items apply to the Catalyst 4500 series switch:

The Catalyst 4500 series switch supports ingress flow statistics collection for switched and routed packets; it does not support Flexible Netflow on egress traffic.

1. Supervisor Engine 7-E, Supervisor Engine 7L-E, and Catalyst 4500X support a 100,000 entry hardware flow table. The hardware flow table is shared by all the flow monitors on a switch. To prevent one monitor from using all the flow table entries, the number of entries that it uses on a switch can be limited by the cache entries number command. This limit is per flow monitor, irrespective of the number of targets it is attached to.

The following example illustrates how to configure the flow monitor m1 cache to hold 1000 entries. With this configuration, interface gig 3/1 can create a maximum of 1000 flows and interface gig 3/2 can create a maximum of 1000 flows:

flow exporter e1
! exporter specifies where the flow records are sent to
destination 20.1.20.4
!
flow record r1
! record specifies the packet fields to collect
match ipv4 source address
match ipv4 destination address
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
flow monitor m1
! monitor refers to a record configuration and optionally an exporter
! configuration. It specifies the cache size, i.e. how many unique flow
! records to collect
record r1
exporter e1
cache timeout active 60
cache timeout inactive 30
cache entries 1000
!
interface GigabitEthernet 3/1
! layer2-switched allows collection of flow records even when the packet is
! bridged
ip flow monitor m1 layer2-switched input
!
interface GigabitEthernet 3/2
ip flow monitor m1 input
!

2. Flow collection is supported on multiple targets (Port, VLAN, per-port per-VLAN (FNF can be enabled on a specific VLAN on a given port)) and on a port-channel (FNF is configured on the port-channel interface, rather than individual member ports).

3. 64 unique flow record configurations are supported.

4. Flow QoS/UBRL and FNF cannot be configured on the same target. (For information on Flow-based QoS, see the section Flow-based QoS.)

5. 14,000 unique IPv6 addresses can be monitored.

6. On a given target, one monitor per traffic type is allowed. However, you can configure multiple monitors on the same target for different traffic types.

For example, the following configuration is allowed:

! vlan config 10
ip flow monitor <name> input
ipv6 flow monitor <name> input
!

The following configuration is not allowed, because it attaches two monitors of the same traffic type (IPv4) to one target:

!
interface GigabitEthernet 3/1
ip flow monitor m1 input
ip flow monitor m2 input
!

7. On a given target, monitoring Layer 2 and Layer 3 traffic simultaneously is not supported. The following configuration is not allowed:

interface channel-group 1
datalink flow monitor m1 input
ip flow monitor m2 input
!

8. Selection of Layer 2 and Layer 3 packet fields in a single flow record definition is disallowed. However, ingress 802.1Q VLAN Id of packet and Layer 3 packet field selection is allowed.

9. To attach a monitor to port or port-VLAN targets, a flow record that matches on the ingress 802.1Q VLAN ID as a key field must also match on the input interface as a key field.

Note A flow monitor matching on the ingress 802.1Q VLAN ID as a key field cannot be attached to a VNET trunk port target.
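The restrictions on monitors per target (item 6 here and item 10 in the VSS section) and on mixing Layer 2 and Layer 3 monitors (item 7 here and item 11 in the VSS section) are easy to check before a configuration is pushed. The following Python lint is added here and is not a Cisco tool; it reads IOS-style configuration text, collects the ip, ipv6 and datalink flow monitor lines under each interface or vlan configuration target, and reports any target with more than one monitor per traffic type or with a datalink monitor next to an ip or ipv6 monitor. When run with vss=True it also counts the routing tables (VRFs plus the global table) used by flow exporter destinations against the VSS limit of 5 from item 22 of the VSS section. The sample configurations, interface names, monitor names and VRF names are constructed; the port-channel target is written as interface Port-channel 1, not the interface channel-group 1 form shown in the examples above.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

MONITOR_RE = re.compile(r"^\s*(ip|ipv6|datalink)\s+flow\s+monitor\s+(\S+)(?:\s+layer2-switched)?\s+input\s*$")
TARGET_RE = re.compile(r"^(interface\s+.+?|vlan\s+configuration\s+\d+)\s*$")
EXPORTER_RE = re.compile(r"^flow\s+exporter\s+\S+\s*$")
DEST_RE = re.compile(r"^\s*destination\s+\S+(?:\s+vrf\s+(\S+))?\s*$")
VSS_MAX_EXPORTER_TABLES = 5   # VSS item 22: at most 5 routing tables for exporter destinations, global included


def parse_config(config: str) -> Tuple[Dict[str, List[Tuple[str, str]]], Set[str]]:
    """Return {target: [(traffic type, monitor name), ...]} and the routing tables used by exporter destinations."""
    targets: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    tables: Set[str] = set()
    target = None
    in_exporter = False
    for line in config.splitlines():
        stripped = line.strip()
        if stripped == "!":                       # a bare '!' ends the current stanza
            target, in_exporter = None, False
            continue
        if not stripped or stripped.startswith("!"):
            continue                              # blank line or comment
        m = TARGET_RE.match(line)
        if m:
            target, in_exporter = m.group(1).strip(), False
            continue
        if EXPORTER_RE.match(line):
            target, in_exporter = None, True
            continue
        if in_exporter:
            d = DEST_RE.match(line)
            if d:
                tables.add(d.group(1) or "global")   # no vrf keyword means the global routing table
        elif target:
            mm = MONITOR_RE.match(line)
            if mm:
                targets[target].append((mm.group(1), mm.group(2)))
    return dict(targets), tables


def lint(config: str, vss: bool = False) -> List[str]:
    """Return one message per violated restriction; an empty list means the configuration passes."""
    targets, tables = parse_config(config)
    problems: List[str] = []
    for target, monitors in targets.items():
        by_type: Dict[str, List[str]] = defaultdict(list)
        for traffic_type, name in monitors:
            by_type[traffic_type].append(name)
        for traffic_type, names in by_type.items():
            if len(names) > 1:                    # one monitor per traffic type on a target
                problems.append(f"{target}: more than one {traffic_type} flow monitor ({', '.join(names)})")
        if "datalink" in by_type and (set(by_type) & {"ip", "ipv6"}):   # no Layer 2 + Layer 3 mix
            problems.append(f"{target}: Layer 2 (datalink) and Layer 3 flow monitors on the same target")
    if vss and len(tables) > VSS_MAX_EXPORTER_TABLES:
        problems.append(f"flow exporters use {len(tables)} routing tables for destinations; "
                        f"VSS limit is {VSS_MAX_EXPORTER_TABLES} including the global table")
    return problems


# Constructed sample: one target breaks the per-traffic-type rule, one mixes Layer 2 and Layer 3,
# and the VLAN target is the allowed ip + ipv6 combination.
SAMPLE_CONFIG = """\
flow exporter e1
 destination 20.1.20.4
!
interface GigabitEthernet 3/1
 ip flow monitor m1 input
 ip flow monitor m2 input
!
interface Port-channel 1
 datalink flow monitor m1 input
 ip flow monitor m2 input
!
vlan configuration 10
 ip flow monitor m1 input
 ipv6 flow monitor m3 input
!
"""

# Constructed sample: one exporter in the global table plus five VRFs is six routing tables.
SAMPLE_VSS_EXPORTERS = "flow exporter e0\n destination 20.1.20.4\n!\n" + "".join(
    f"flow exporter e{i}\n destination 20.1.20.4 vrf vrf{i}\n!\n" for i in range(1, 6))


if __name__ == "__main__":
    for problem in lint(SAMPLE_CONFIG) + lint(SAMPLE_VSS_EXPORTERS, vss=True):
        print(problem)
```

The parser relies on the bare "!" separators and top-level stanza headers that a running-config contains; it does not try to validate the rest of the configuration, and a monitor name it reports is the name as typed, so it will not notice a monitor that is referenced but never defined.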

Forwarding status for the packet (forwarded, terminated in the router, dropped by ACL, RPF, CAR)
    Supported as a non-key field

Layer 4 Header Fields

Field                                       Description                                                                       Comments

TCP Header Fields
destination-port                            TCP destination port
flags [ack] [fin] [psh] [rst] [syn] [urg]   TCP flags                                                                         Supported as non-key fields
source-port                                 TCP source port

UDP Header Fields
destination-port                            UDP destination port
source-port                                 UDP source port

ICMP Header Fields
code                                        ICMP code
type                                        ICMP type

IGMP Header Fields
type                                        IGMP type

Interface Fields
input                                       Input interface index
output                                      Output interface index                                                            Output interface is supported only as a non-key field

Flexible NetFlow feature related fields
direction                                   input

Counter Fields
bytes                                       32 bit counter
bytes long                                  64 bit counter
packets                                     32 bit counter
packets long                                64 bit counter of the packets in the flow

Timestamp
first seen                                  Timestamp of the first packet accounted in the flow (milliseconds since boot-up)  3 sec accuracy
last seen                                   Timestamp of the last packet accounted in the flow (milliseconds since boot-up)   3 sec accuracy

Configuring Flow Monitor Cache Values

Setting the active cache timeout to a small value causes flows to be exported more frequently to the remote collector. Software also deletes flows from the local cache after exporting them, so the cache statistics reported by the switch may not reflect the actual number of flows being monitored.